Accessing external Hosted Exchange 2010 from within SBS2003R2 network (ISA2004)

Posted on 2011-05-10
Last Modified: 2012-05-11
Hi Guys,

I have an SBS2003R2 network with ISA2004 (dual port server, etc).
I'm moving our mail system to a hosted Exchange setup external to the local network (all of the DNS is set up and the mailboxes work OK, no MX is pointing to the internal Exchange2003 box).
I have also removed the domains from the recipient policies.

OK, I can connect to the hosted Exchange server through RPC over HTTP with a PC connected directly on the router (so on the external side of the SBS2003 box).

I can't connect a domain-connected PC to the hosted Exchange2010 server using similar methods. What ports etc. need opening through ISA2004 to do this, please?

I have read that the IP of the remote Exchange server needs to be added to the LAT for this but have not been able to verify or obtain any background on this.

Can anyone help please?

Question by:TrevorWhite
    Expert Comment

    by:Suliman Abu Kharroub
    Is your internal domain name the same as your external domain name? For example

    Author Comment

    Hi Sulimanw
    No, the internal domain is WhytecDomain.local, external is
    The SBS setup is pretty much OK (I manage a number of these for clients).
    This is the first SBS where I have had to migrate SBS2003/Exchange2003 to Hosted Exchange, i.e. the Exchange organisation is external to the local server.

    Can I take it this is doable?


    Author Comment


    Hosted Exchange is accessed by RPC/HTTP connection. I've been involved with this when accessing SBS Exchange mailboxes through externally connected internet PCs (i.e. inbound to the SBS box) but making an outbound RPC/HTTP connection to an external Exchange mailbox isn't really an SBS operation. Hence I'm stuck as I don't know what ports etc. are required through the ISA2004 firewall.

    Can anyone help tonight, I could do with getting this sorted asap.

    Regards in advance


    Author Comment

    Really could do with some help on this, guys. I have spent the evening trawling the internet for some info but no conclusion. Small Bus server forum says this should be possible out of the box.

    I have an Outlook profile configured with the external Exchange address (this was set up with the PC connected directly to the internet through the router) and all worked fine. As soon as I attach the same PC to the internal subnet (the SBS domain) I get 'Trying to connect to the exchange server' and ultimately 'Disconnected'.

    Tried this with the MS firewall client enabled and disabled, still the same.

    Help, don't know how to proceed.

    Expert Comment

    by:Suliman Abu Kharroub
    While directly attached, right Ctrl + right-click on the Outlook icon in the notification area, then Connection Status --> how does it connect? HTTP or TCP? If HTTP/S, then just make sure to create an access rule allowing HTTP/S from internal to external, if not yet.

    Another thing to check, from the internal network. Test DNS:

    set q=mx

    Does it return the correct IP address?

    Do you have a DNS zone in your internal DNS server?

    While Outlook is trying to connect, go to the ISA monitor and set the filter to the client IP address, and see what is going on and which rule blocks the traffic.
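
The log check suggested in the comment above (filter the ISA log on the client IP and see which rule denies the traffic), as an added example that is not part of the original thread. It assumes the log was exported as W3C extended text; the column names, hosts, addresses and the "Default rule" entry are constructed for illustration.

```python
from collections import Counter

# Constructed sample: W3C extended log text (tab-separated, "#Fields:" header).
# Column names, hosts, addresses and "Default rule" are assumptions for
# illustration; adjust the names to the #Fields line of your own export.
SAMPLE_LOG = "\n".join([
    "#Software: constructed sample",
    "#Fields: date\ttime\tc-ip\tr-host\tr-port\taction\trule",
    "2011-05-10\t19:02:11\t192.168.16.50\tmail.example.net\t443\tDenied Connection\tSBS Internet Access Rule",
    "2011-05-10\t19:02:13\t192.168.16.50\tmail.example.net\t443\tDenied Connection\tSBS Internet Access Rule",
    "2011-05-10\t19:03:40\t192.168.16.50\towa.example.org\t443\tAllowed Connection\tSBS Internet Access Rule",
    "2011-05-10\t19:04:02\t192.168.16.51\tmail.example.net\t443\tDenied Connection\tDefault rule",
    "2011-05-10\t19:04:05\t192.168.16.50",  # truncated record, skipped
])

def parse_w3c(text):
    """Yield one dict per record, using the most recent #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].strip().split("\t")
        elif line and not line.startswith("#") and fields:
            values = line.split("\t")
            if len(values) == len(fields):  # ignore truncated records
                yield dict(zip(fields, values))

def denied_by_rule(text, client_ip):
    """Count denied connections for one client, keyed by (rule, host, port)."""
    hits = Counter()
    for rec in parse_w3c(text):
        if rec["c-ip"] == client_ip and rec["action"].lower().startswith("denied"):
            hits[(rec["rule"], rec["r-host"], rec["r-port"])] += 1
    return hits

def hosts_allowed_by(text, client_ip, rule):
    """Hosts the same rule let through for this client, for comparison."""
    return {rec["r-host"] for rec in parse_w3c(text)
            if rec["c-ip"] == client_ip and rec["rule"] == rule
            and rec["action"].lower().startswith("allowed")}

if __name__ == "__main__":
    for (rule, host, port), n in denied_by_rule(SAMPLE_LOG, "192.168.16.50").items():
        print(f"{n} denied: {host}:{port} by rule '{rule}'")
        print("  same rule allowed:", sorted(hosts_allowed_by(SAMPLE_LOG, "192.168.16.50", rule)))
```

Listing what the same rule allowed next to what it denied shows quickly whether the block is specific to one destination or applies to the client as a whole.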

    Author Comment

    Hi SulimanW,
    Thanks for the steering with this !!!
    Direct connection is indeed HTTPS. I can access HTTPS sites from within the SBS domain (I do this regularly to access - which is a customer's OWA service). I have also visited some HTTPS test sites.

    The nslookup on gives 'Non-existent domain . . . this is the URL provided for entry in the Exchange server name. The server HTTPS address is This gives :
    Primary Name Server =
    responsible mail addr =
    serial = 1301396667
    refresh 10800 (3 hours)
    retry = 3600 (1 hour)
    expire = 604800 (7 days)
    default TTL = 86400 (1 day)

    I have looked in the DNS and not found a domain zone. I don't recall setting up any split DNS setup in the past either.

    Client IP is
    I set up an ISA log filtered on and the connection is indeed rejected on the HTTPS request. ( 443 HTTPS Denied Connection SBS Internet Access Rule
    I have attached the full log in case it is illuminating.

    So why does the SBS Internet Access Rule reject an HTTPS connection attempt over 443 when other HTTPS traffic is passed? Is there a way forward to determine why the request fails?



    Author Comment

    Whoop, whoop!!!
    All sorted after realisation that it really was a rule-based issue in ISA2004.
    I have added a new Internet Access rule to specifically pass HTTPS for all users to from localhost and Internal network. Connections are now made and Outlook syncs up OK.

    Would still like to know why this is necessary. Can you explain?
    Points are yours of course, thanks so much for the pertinent comments and steers.

    Accepted Solution

    You are welcome :) Glad to hear that.

    I think below is the cause:
    Does the old rule have localhost in the From tab? If so, then your client is connected to the internet by using the webproxy method, and in this case only rules which are applied on the localhost will be applied on the clients.

    Author Comment

    Ah yes I follow you.
    Just checked the standard SBS rule and it is for 'All protected networks' so I guess 'local host' is some sort of exception to that even though it is part of the 'protected network' subnet.

    So great work, Sulimanw. Thanks for your time and persistence with this, I do appreciate it.

    I'll close this up now and award the points, please do add anything that may be helpful for others in the future though.


    Author Closing Comment

    One thing to come out of this for me is that 'localhost' is an exception to 'All protected networks'.
